Think of DNS tunneling like stuffing secret notes inside the envelopes of routine mail. The post office sees only envelopes, so the notes slip through. Consumer VPN and “free net” apps use the same trick with DNS queries and responses to bypass filters. On a protected network, that stunt shows up as odd, repetitive lookups to a single domain or clusters of subdomains that were never meant for everyday browsing.

Below, we present an analysis of several domains and applications that depend on, or are closely linked to, DNS tunneling or related covert transport mechanisms. We'll then cover how ThreatSTOP Protective DNS intercepts this traffic before it poses a risk. Rather than discuss every application we monitor and control, I've selected the five that caught my attention this morning.

What we observed

AM TUNNEL PLUS and ammoplus[.]xyz

[Screenshot, 2025-09-09 10:58]

Zedtunnel VPN and zedtunnel[.]com

[Screenshot, 2025-09-09 11:01]

  • App: Zedtunnel VPN, positioned as “Unlimited Free SSH and SlowDNS VPN.”

  • DNS tunneling: Strong. The app advertises a DNS mode and references SlowDNS or DNSTT. Community reports describe “free browsing” by selecting DNS-based presets. It can easily bypass corporate security controls.

  • Infra notes: The domain is used as a rendezvous for tunnel traffic, often with queries to subdomains carrying encoded payloads. Historical DNS places it on a VPS.

Let's pause and chat about this "SlowDNS" term:

DNS Tunneling Functionality (“SlowDNS”)

Zedtunnel VPN implements a DNS tunnel protocol referred to as “Slow DNS” or DNSTT. (In community slang, “SlowDNS” has become a generic term for DNS-based free-internet tricks, reflecting that it is usually much slower than a normal connection.) DNSTT stands for “DNS Tunnel Turbo”, an open-source protocol that carries data in DNS TXT records and can also leverage DNS over HTTPS/TLS for stealth. Zedtunnel’s inclusion of a “Slow DNSTT protocol” mode indicates that when a user activates this mode, the app performs DNS lookups for subdomains of zedtunnel[.]com (or related domains controlled by the service) that encode the user’s traffic. On the server side, an authoritative DNS server for zedtunnel[.]com (running a tunneling daemon) answers those queries with crafted DNS responses that carry the tunneled data. This effectively creates a VPN-like link over DNS.

How zedtunnel[.]com is used in DNS tunneling: Typically, the app is configured with zedtunnel[.]com (or a subdomain) as the tunnel domain. For example, it might query a name like "wlk7krraa6lqd2g2pdy5tttavr4q.sgt1.zedtunnel[.]com". The queries are routed by the device’s resolver (often the ISP’s DNS server) up to the authoritative nameserver for zedtunnel[.]com. Using DNSTT, the payload is carried in DNS records (commonly TXT records rather than standard A record lookups); the TXT payloads we observed were opaque binary data rather than readable text.


DNS tunnels have high overhead and latency, hence the moniker “SlowDNS.” Users on forums acknowledge that this is primarily useful for basic connectivity when you have no data plan.

From a technical evidence standpoint, if one monitors network traffic on a device using Zedtunnel’s DNS mode, they would observe a flurry of DNS queries to zedtunnel[.]com (or its subdomains), often with very long or unusual-looking subdomain strings (these carry the encoded data). 

ployvpn[.]uk and slow-ss5.ployvpn[.]uk

  • Distribution: The ployvpn[.]uk DNS tunnel is utilized via custom tunneling apps rather than a standalone product.

    • The domain ployvpn[.]uk appears tied to a community-run mobile VPN/tunneling service (again, Android-focused). It is referenced in free “Slow DNS” configurations shared on Telegram, particularly in Southeast Asian free-internet communities. 

  • DNS tunneling:

    • The Telegram leak provides strong evidence that ployvpn[.]uk’s service uses DNS tunneling. The config explicitly labels Slow DNS parameters and even provides a DNS Public Key (a 64-hex string).

    • What a query looks like:
      • 3evvzyzqjvqazyyasj7ieyd6doifcacaaa3liaaa7mbaaaghaaaaa2qaaaakbtl.yivqy7mzxxllsdh3nt6sr4y4yii7nnculkmpfb6hqkxdaijte537zca2s33wwim.y7qgd5niwndg7ysxonwpgd2pnanu4nq2npw7yo2yk3yytztonebcactymgvcogf.lgcjkzz36ckqdudt5wtdrdvztsizonphyns2a53g.slow-ss5.ployvpn[.]uk

sergan[.]xyz and b.sergan[.]xyz

  • Distribution: Sergan[.]xyz appears to be another domain used in the DNS-tunneling VPN ecosystem, though it is more obscure. We did not find an official VPN product named “Sergan,” indicating this is likely an infrastructure domain rather than a consumer-facing brand. Its use has been noted in contexts similar to ployvpn[.]uk – i.e. configuration files or account credentials for SSH-over-DNS services. Given the naming and TLD, sergan[.]xyz is likely run by an individual or small group (XYZ domains are low-cost).

  • DNS tunneling

    • What a query looks like:
      • gzjsoxeeznw65y2kxqueqztvd6sfcabaaaqqkaaaaeaaaaaaaaaaamaaaaacq2o.h6w5hpehoaepr7u42k45hcj45liniczl2sotulmozn7hm4heodmwlojj4npbc4l.2hvyjysmi6.b.sergan[.]xyz

xyclops[.]cloud and fns2.xyclops[.]cloud

  • Distribution: Shared “SSH SlowDNS account” posts list fns2.xyclops[.]cloud:53 with a public key, a direct indicator of DNSTT-style DNS tunneling.

    • We found a concrete reference in a Telegram channel that shared an “SSH SLOW DNS ACCOUNT” using xyclops[.]cloud. The snippet shows credentials with a server address fns2.xyclops[.]cloud:53 and an accompanying Name-Server set to fns2.xyclops[.]cloud, plus a Public Key.
    • Xyclops[.]cloud’s operation aligns with SlowDNS/DNSTT techniques. The account shared (jfree:828382 in the example) is an SSH login, meaning once the DNS tunnel is established, the user can SSH to the server (often 127.0.0.1 at some forwarded port) to actually proxy traffic. The DNS patterns here would involve the client encoding SSH payloads into a series of DNS queries to fns2.xyclops[.]cloud, which is likely authoritative for the xyclops[.]cloud domain.

  • DNS tunneling

    • What a query looks like:
      • c5i7orsthxtvry63p5jeqpjdqkcvcaaaaqbaaaaaaeaaaaaaaaaaamaaaaadwxl.viqpch6flamf37isn74bqyomalyfvfrzn2hpecica45nxkpgjn7q3zfrqoswdvx.i7hdxxg7hg.fns2.xyclops[.]cloud

Pingle VPN and pingle[.]one

  • App: In contrast to the above, pingle[.]one is the domain of a legitimate commercial VPN service called Pingle VPN. Pingle is an emerging VPN provider focusing on censorship-heavy markets (Russia, China, Turkmenistan, etc.), and it offers apps for multiple platforms (Android, iOS, Windows, etc.). The service is professionally developed – the website touts modern proxy protocols and even Web3 integrations (they provide an IPFS link and an Ethereum Name Service domain to reach their site if the main domain is blocked). Pingle’s inclusion in this list is interesting, as it’s not an underground free-tunnel like the others; however, Pingle explicitly markets itself as working in the “strictest internet censorship” environments. This implies Pingle has to use creative techniques to connect – possibly including DNS-based tunneling as a fallback.

  • Transport: Focus on TLS obfuscation, Cloudflare CDN usage, and alternate reachability methods.

  • DNS tunneling

    • What a query looks like:
      • usuxegfmy5jgtyyq247bvpm2u22vcaaaafiqaaaaaaaaaaaaaaaaaaqaaaaaama.t.pingle[.]one

Why this matters to defenders

DNS tunneling gives endpoints a covert path off your network. Even if the intent is simply to bypass a captive portal, the effect is the same as a policy violation. Repeated, high-entropy queries to a single uncommon domain or many long subdomain labels are hallmark signs. On corporate networks, this traffic can undermine monitoring and allow unapproved data extraction.

How ThreatSTOP stops it

Protective DNS

  • DNS Defense Cloud and DNS Defense apply thousands of ThreatSTOP Security, Intelligence, and Research team protections in real time.

  • We maintain protections against DNS tunnels, as well as command and control, data exfiltration, proxy and anonymizer infrastructure, phishing, spam, peer-to-peer abuse, invalid traffic, and DDoS staging.

  • When domains like the ones above are classified as tunneling infrastructure or high risk, Protective DNS blocks lookups at the resolver. That prevents the tunnel from being established, because the client never reaches the authoritative DNS server under the attacker’s or operator’s control.

  • Our protections update continuously so newly observed tunnel endpoints and subdomains can be interdicted quickly.

Operational outcomes

  • Stop unauthorized VPNs and shadow IT tunnels at the first packet that matters.

  • Reduce exfiltration risk by denying covert channels.

  • Improve incident response with clear indicators. 

Practical guidance for your team

  • Monitor for patterns: Sudden spikes of DNS queries to a single domain, very long subdomain labels, repetitive TXT lookups, and persistent queries at short intervals.

  • Block by policy: Treat DNS tunneling apps as unapproved network proxies. If your acceptable use policy forbids them, enforce with Protective DNS and IP Defense.

  • Triage quickly: Identify the host using the tunnel, remove the app, and validate that no sensitive data left the environment.

  • Hunt IOCs:

    • ammoplus[.]xyz

    • zedtunnel[.]com

    • ployvpn[.]uk

    • sergan[.]xyz

    • xyclops[.]cloud

    • pingle[.]one
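As an added example (not ThreatSTOP's code, nor code from any of the apps above), the monitoring patterns listed here and the long encoded query names shown in the Zedtunnel and Pingle sections can be turned into a simple scoring pass over resolver logs. The log format, the two-label registered-domain heuristic and the thresholds are assumptions; the tunnel query names are the ones quoted in this post.

```python
# Added example (not ThreatSTOP's code): score resolver log lines for the
# SlowDNS/DNSTT indicators this post describes: TXT-heavy lookups, very long
# encoded subdomain names and high-entropy labels under one registered domain.
import math
from collections import defaultdict

# Constructed log lines ("<epoch> <client> <qname> <qtype>"). The tunnel query
# names are the ones quoted in this post, defanged with "[.]" as the post does.
SAMPLE_LOG = """\
1757412000 10.0.0.5 wlk7krraa6lqd2g2pdy5tttavr4q.sgt1.zedtunnel[.]com TXT
1757412001 10.0.0.5 usuxegfmy5jgtyyq247bvpm2u22vcaaaafiqaaaaaaaaaaaaaaaaaaqaaaaaama.t.pingle[.]one TXT
1757412001 10.0.0.7 www.example[.]com A
1757412002 10.0.0.7 mail.example[.]com MX
"""

def shannon_entropy(text):
    """Bits per character; base32-style tunnel payloads sit around 4 to 5."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def registered_domain(qname):
    # Heuristic: last two labels. Adequate for the .com/.one/.xyz/.cloud domains
    # in this post; use a public-suffix list for co.uk-style names in production.
    return ".".join(qname.split(".")[-2:])

def score_domains(log_text):
    """Return {registered_domain: [reasons]}; an empty list means no indicator."""
    per_domain = defaultdict(lambda: {"n": 0, "txt": 0, "long": 0, "ent": []})
    for line in log_text.splitlines():
        _ts, _client, qname, qtype = line.split()
        qname = qname.replace("[.]", ".").lower().rstrip(".")
        domain = registered_domain(qname)
        encoded = "".join(qname.split(".")[:-2])  # everything below the apex
        s = per_domain[domain]
        s["n"] += 1
        s["txt"] += int(qtype == "TXT")
        s["long"] += int(len(encoded) >= 30)  # routine hostnames are far shorter
        s["ent"].append(shannon_entropy(encoded) if encoded else 0.0)
    findings = {}
    for domain, s in per_domain.items():
        reasons = []
        if s["txt"] / s["n"] >= 0.5:
            reasons.append("txt-heavy")
        if s["long"] / s["n"] >= 0.5:
            reasons.append("long-encoded-names")
        if sum(s["ent"]) / s["n"] >= 3.5:
            reasons.append("high-entropy")
        findings[domain] = reasons
    return findings
```

Run `score_domains(SAMPLE_LOG)` to get a per-domain list of reasons; on the sample, zedtunnel.com and pingle.one are flagged while example.com returns an empty list.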


Move the needle

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a Demo today.

Connect with Customers, Disconnect from Risks


MITRE ATT&CK mapping for DNS tunneling and related covert transports

| ATT&CK Tactic | Technique | Why it applies in this context |
|---|---|---|
| Command and Control | Application Layer Protocol: DNS (T1071.004) | DNS queries and responses are used as the C2 and data channel in SlowDNS and DNSTT modes. |
| Command and Control | Encrypted Channel (T1573) | DNSTT and many tunnel apps encrypt payloads inside DNS to prevent content inspection. |
| Command and Control | Proxy (T1090) | Tunneling apps act as unauthorized proxies to external infrastructure. |
| Exfiltration | Exfiltration Over C2 Channel (T1041) | Data can be moved out over the same DNS tunnel used for control. |
| Exfiltration | Exfiltration Over Alternative Protocol (T1048) | DNS is used as an alternative protocol to move data when other traffic is blocked. |
| Defense Evasion | Obfuscated/Compressed Data (T1027) and Data Obfuscation (T1001) | Payloads are encoded in subdomain labels or TXT records to evade simple detection. |
| Discovery and Resource Development | Domain and DNS infrastructure repurposed for covert transport | Use of custom authoritative DNS and dynamic subdomains supports the tunnel channel. |